There is the sheer size of the incident: Tens and maybe hundreds of millions of accounts could be involved; it’s possibly the biggest commercial breach ever. There is also the timing: The company released the news Jan. 20, apparently hoping to avoid attention while the country focused on President Barack Obama’s inauguration.

And there is the way the breach was discovered. The malware was sitting on Heartland’s system for who knows how long, and nothing was discovered until credit card companies started pointing out suspicious activity on stolen accounts last year.

But what I find most disturbing is the company’s continuing state of denial about the disaster. Spokesmen repeatedly assured the public that the only information stolen was cardholders’ names and account numbers. Nothing to worry about there. The company set up a Web site at www.2008breach.com to provide information about the incident and offer advice to cardholders. As of this writing, the site consists of a press release extolling the virtues of Heartland.

“I couldn’t be prouder of our entire organization for the way everyone has pulled together to help,” said Robert Carr, Heartland’s chairman and chief executive officer.

What about the cardholders? “Consumers will know if their card account numbers have been used by reviewing their monthly statements,” according to the company. In other words, you’re on your own.

Some observers claim that the private sector is ahead of the government in protecting sensitive data because it is easier for companies to quantify the data’s value; for them, security is a matter of dollars and cents.

That might be true, but the Heartland breach shows that when moral and ethical imperatives are removed, security can become primarily a PR issue. Heartland can crow on its breach-information site that it has “added more than 400 merchants to its client base in the past few days.” That’s cold comfort for the consumers whose credit cards have been compromised.

Maybe this is an area in which the government has an advantage. Because agencies cannot reduce data breaches to a matter of quarterly revenue and shareholder value, the security of personal data is for them a matter of right and wrong rather than profit and loss. That is not to say that agencies have perfected their security or are not keenly aware of the PR implications of a breach. The Veterans Affairs Department suffered a terrible black eye in the wake of its disastrous data breach a few years ago.

But it is not as easy for agencies to sweep incidents under a carpet of happy talk. In the end, the quality of their security will be judged by how well they secure data — not whether they continue to produce a profit.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.